[kernel] r6610 - in
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian:
patches patches/series
Dann Frazier
dannf at costa.debian.org
Fri May 19 22:52:07 UTC 2006
Author: dannf
Date: Fri May 19 22:52:06 2006
New Revision: 6610
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/211_usb-gadget-rndis-bufoverflow.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
Log:
* 211_usb-gadget-rndis-bufoverflow.diff
[SECURITY] Fix buffer overflow in the USB Gadget RNDIS implementation that
allows for a remote DoS attack (kmalloc'd memory corruption)
See CVE-2006-1368
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Fri May 19 22:52:06 2006
@@ -16,8 +16,12 @@
[SECURITY] Fix vulnerability that allows remote attackers to conduct an
Idle Scan attack, bypassing intended protections against such attacks
See CVE-2006-1242
+ * 211_usb-gadget-rndis-bufoverflow.diff
+ [SECURITY] Fix buffer overflow in the USB Gadget RNDIS implementation that
+ allows for a remote DoS attack (kmalloc'd memory corruption)
+ See CVE-2006-1368
- -- dann frazier <dannf at debian.org> Fri, 19 May 2006 17:17:39 -0500
+ -- dann frazier <dannf at debian.org> Fri, 19 May 2006 17:51:10 -0500
kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high
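Review bot: The new changelog entry for 211_usb-gadget-rndis-bufoverflow.diff names only the CVE and does not record the upstream change it backports. The patch file added in this same revision carries the upstream id (diff-tree 8763716bfe4d8a16bef28c9947cf9d799b1796a5); citing it in the entry would let someone auditing the sarge3 upload match the fix to upstream without opening the patch.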
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/211_usb-gadget-rndis-bufoverflow.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/211_usb-gadget-rndis-bufoverflow.diff Fri May 19 22:52:06 2006
@@ -0,0 +1,42 @@
+Fix for CVE-2006-1368.
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree 8763716bfe4d8a16bef28c9947cf9d799b1796a5 (from d5ec33490c67affef93aebf76e1238260c82d377)
+Author: Shaun Tancheff <shaun at tancheff.com>
+Date: Wed Feb 22 19:47:19 2006 -0800
+
+ [PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)
+
+ Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
+ for the data attached to the reply, and not the reply structure
+ itself. This caused other kmalloc'd memory to be corrupted.
+
+ Signed-off-by: Shaun Tancheff <shaun at tancheff.com>
+ Signed-off-by: David Brownell <dbrownell at users.sourceforge.net>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff -urN kernel-source-2.6.8.orig/drivers/usb/gadget/rndis.c 2.6/drivers/usb/gadget/rndis.c
+--- kernel-source-2.6.8.orig/drivers/usb/gadget/rndis.c 2004-08-13 23:36:13.000000000 -0600
++++ 2.6/drivers/usb/gadget/rndis.c 2006-05-18 12:10:41.000000000 -0600
+@@ -853,12 +853,15 @@
+ // DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
+ if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
+
+- /*
+- * we need more memory:
+- * oid_supported_list is the largest answer
+- */
+- r = rndis_add_response (configNr, sizeof (oid_supported_list));
+-
++ /*
++ * we need more memory:
++ * gen_ndis_query_resp expects enough space for
++ * rndis_query_cmplt_type followed by data.
++ * oid_supported_list is the largest data reply
++ */
++ r = rndis_add_response (configNr,
++ sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
++
+ if (!r) return -ENOMEM;
+ resp = (rndis_query_cmplt_type *) r->buf;
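Review bot: The enlarged rndis_add_response() size is still a fixed worst-case figure whose only justification is the comment "oid_supported_list is the largest data reply"; nothing in this hunk checks the length gen_ndis_query_resp actually writes against the allocated buffer. If a later OID reply grows past sizeof (oid_supported_list), the same heap corruption returns silently, so consider having the response builder check its final length against sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type) and fail the request rather than trust the comment. Separately, the embedded diff headers reference kernel-source-2.6.8.orig and 2.6/drivers/usb/gadget/rndis.c while the patch is being added to the kernel-source-2.4.27 series: please confirm it applies to the 2.4.27 rndis.c without fuzz at line 853 and that the allocation there has the same shape, or regenerate the diff against the 2.4.27 tree.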
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3 (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3 Fri May 19 22:52:06 2006
@@ -2,3 +2,4 @@
+ 208_ia64-die_if_kernel-returns.diff
+ 209_sctp-discard-unexpected-in-closed.diff
+ 210_ipv4-id-no-increment.diff
++ 211_usb-gadget-rndis-bufoverflow.diff